Healthcare // Security & Privacy
News
5/28/2014
08:00 AM

Healthcare IT Security Worse Than Retail, Study Says

Bad news for healthcare community: New study shows retailers like Target and eBay are more secure than many healthcare organizations.


Healthcare organizations are rife with insecurity, and it is only a question of when a Target-like attack puts millions of protected health information (PHI) records on the black market, a new study suggests.

A large-scale attack on the healthcare industry could put patients' safety and lives at stake, cautioned Stephen Boyer, CTO of security rating firm BitSight Technology, in an interview. Despite increasing awareness of these risks, healthcare organizations are far behind their peers in other vertical markets, Boyer said, citing a BitSight study titled Will Healthcare Be the Next Retail?, released May 28.

Of the four industries the study analyzed, healthcare saw the largest surge in attacks and was slowest to respond, taking more than five days to remediate security issues. By comparison, finance took about 3.5 days, and retail and utilities resolved issues within approximately four days. Some healthcare organizations led the market, applying best practices with adequate resources, but as a sector healthcare is weaker than the others.

According to Boyer, however, that may be improving. "I don't know of a major breach of healthcare records, but stay tuned. I know that certainly there's worry about privacy. I see more transparency going into the process and I think that's going to put the right incentives in place," he said. "The Target breach was just a watershed moment in the industry. It's changing conversations everywhere we go."

[Are you prepared for insider threats? Read Colleagues In Cuffs: When Employees Steal Patient Records.]

For its report, BitSight analyzed the security performance of Standard & Poor's 500 firms based on observed data such as communication with a botnet, malware distribution, or spam propagation, and determined that last year 82% of organizations suffered a security compromise. Within the finance, utilities, retail, and healthcare and pharmaceutical industries, healthcare showed the worst performance overall, according to the study.

(Source: BitSight Technology, "Will Healthcare Be the Next Retail?")

PHI has real value to thieves. On the black market, Boyer said, a patient's electronic medical record sells for about $20; by comparison, credit card data sells for approximately $1 per card. Some patients could be embarrassed if their health records become public, opening them to blackmail or other victimization. Thieves also sell PHI to those without insurance.

"You can go and get healthcare. You can go and get treatment. You can buy drugs," Boyer said. "Obviously there's fraud. Those visits, those prescriptions, go on your record. That's moving cybertheft into life and death."

Unlike finance firms, which have protected money since their earliest days, healthcare organizations are comparatively new to data protection. Their mission is to deliver care, not to safeguard bytes of data, Boyer explained, so awareness, a full understanding of the range of exposures, and the resources to address them are not consistently available across the industry.

The Department of Health and Human Services tackled the issue with a stick: Bigger fines for breached organizations. Earlier this month, for instance, HHS Office for Civil Rights (OCR) settled a $4.8 million HIPAA breach case with New York and Presbyterian Hospital and Columbia University. That scrutiny may only increase in light of retailers' recent breaches, according to Paul Trulove, VP of products at SailPoint.

"On the heels of such well-known data breaches at Target and even [more recent] news of the cyberattack on eBay, auditors are going to put even more scrutiny on healthcare organizations as the data they house is even more valuable than consumer data," he said in an interview.

Rules such as HIPAA and the HITECH Act have generally done a good job of protecting patient data. Often human error causes breaches, Michael Raggo, security evangelist at MobileIron, told InformationWeek.

"I will never say never, but the healthcare industry has seen a disproportionately low instance of cyberattacks, and rather a higher proportion of accidental data loss through well-intentioned but risky user behaviors on the device or lost devices. A major reason for a low instance of cyberattacks is because stringent HIPAA guidelines are a core part of the data security and compliance strategy of all healthcare organizations in the United States," Raggo said. "That said, cyberattacks are increasing, as are the number of attack vectors organizations need to protect."

Likewise, Boyer added, older healthcare systems may lack current technological safeguards. He pointed out that one healthcare official recently received an implementation pitch that included computers running Windows XP, an operating system for which Microsoft ended security updates in April 2014.

"I know there are some key conversations going on now on things that will improve [healthcare security]," he said. "I'm less optimistic they'll happen quickly. This is not a super agile environment inside hospitals and health organizations. It's going to be difficult to turn around."

If a big breach occurs within healthcare, Boyer warned, patients could react by switching providers or insurers, or being less forthcoming with physicians -- even to the detriment of their health.


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
Ariella, User Rank: Ninja
5/28/2014 | 8:43:27 AM
healthcare security
Not very reassuring. It's a problem that really needs to be addressed.
Alison_Diana, User Rank: Author
5/28/2014 | 9:08:09 AM
Re: healthcare security
Personally I find it absolutely terrifying. There are, however, a few glimmers of hope here.
  • One, as Stephen stressed throughout the conversation, this is an average and some healthcare providers are better than others. Several (including some I've interviewed for InformationWeek) integrate security into everything they do. 
  • Patients are getting more access into their records, giving us the opportunity (if not responsibility) to review them for accuracy. Of course, we've seen this work with varying results in the financial sector; it's challenging to get your credit report fixed sometimes. I cannot imagine how easy it will be to get your EHR amended if it's wrong due to an inaccuracy for your treatment or due to hacking/misuse of your data by another.
  • These increased penalties should make all healthcare providers, large and small, more aware and concerned about breaches and security. However, you can beat companies over the head with examples like Target, eBay, Michael's, TJMaxx, and more and they still make simply fixable errors, so I don't know how much weight this argument carries until an organization itself gets hit. Then everyone within THAT organization definitely cares. But does their competitor? I don't know.
Alison_Diana, User Rank: Author
5/28/2014 | 10:11:09 AM
Re: healthcare security
An interesting side point: The company really expected Utilities to perform worse than other verticals. As you can see from the chart (and from the full report, if you access it), that was far from true! Good news for our grid. Bad news for retail and healthcare.
moarsauce123, User Rank: Ninja
5/29/2014 | 7:12:09 AM
Re: healthcare security
Not disagreeing, but keep in mind that health care providers are experts in, well, health care. They are not IT experts and with the slim margins in that industry they cannot afford to hire even more staff. Administration is already the main driver of health care cost, care itself isn't that expensive.

I see the responsibility here at the system vendors. It is common practice to push the responsibility for data security to the customers, but it really is a disservice to everyone.
Alison_Diana, User Rank: Author
5/30/2014 | 9:49:37 AM
Re: healthcare security
I agree with you that security is NOT what healthcare providers typically are good at. It's one reason I, personally, think many should seriously consider cloud as an option. Now, that doesn't mean rushing out and choosing any old cloud provider. It requires due diligence, a strong SLA, a deep dive into a cloud service provider's security (physical and cyber), as well as a long look at the company's financial resources. But partnering with a firm that solely provides data services and security can make a lot of sense for healthcare organizations, especially those without the resources to hire the right number and type of internal staff and buy adequate tech of their own.
Alison_Diana, User Rank: Author
5/30/2014 | 10:01:51 AM
Re: healthcare security
How can vendors make their systems more secure, @moarsauce123? Do you think they should automatically encrypt all data, for example? Do you know of any vendors who are doing a better job than others?
SarahBeene, User Rank: Apprentice
6/10/2014 | 9:29:59 AM
Re: healthcare security
I'm well and truly on the encryption bandwagon! As the owner of a small practice, I am frantically aware of the complications and risks of handling patients' PHI. I appreciate the volume of data we handle isn't as high as the Standard & Poor's 500 firms used by BitSight in their study, however studies like this always worry me. We want to be able to reassure our patients as I would hate to think they would hold details back out of worry, especially if it is detrimental to their health.

I have tried to eliminate as many manual processes as possible to keep everything water-tight, using cloud services like sfax as they have ensured HIPAA compliancy. Although as Michael Raggo has said, human error can cause breaches, and I doubt we'll ever be able to fully protect people from that. For now I'm going to keep encrypting all PHI, especially when shared with other departments!
Alison_Diana, User Rank: Author
7/31/2014 | 4:34:32 PM
Re: healthcare security
That's really great to hear, @SarahBeene. You almost wish there was a Good Housekeeping seal for practices! Sounds as though you'd be on the list!
ANON1243418786338, User Rank: Apprentice
5/28/2014 | 10:03:59 AM
Why ever store credit card numbers?
When I hear about credit card information being at risk at retailers, etc, I wonder why retailers ever store credit card numbers. Once they have an approval from the credit card company they no longer need the card number.
Alison_Diana, User Rank: Author
5/28/2014 | 10:09:49 AM
Re: Why ever store credit card numbers?
I've wondered the same thing, @Anon. They do want to store all the related information: our names, addresses, and any other data they can collect (such as age, gender, amount spent, what we bought, time of day, etc.), which they use for a variety of reasons such as marketing, inventory, and so forth. You'd think, though, they could extract and delete the CC data from the information they 'need,' wouldn't you? On e-commerce sites, users typically have the option of saving or not saving their CC data, often by creating a reusable account or shopping as a guest. Why don't we have that same option as a customer of a brick and mortar store?

Of course, when it comes to healthcare, organizations need to keep all that information as part of their effort to improve care, reduce or eliminate errors (such as prescriptions, allergies, etc.), and streamline care across sites. Finally, providers are not allowed to request SSNs -- although I've found many still include that information on their forms (I just leave it blank since I figure it's for collection agency use as much as anything). Since healthcare orgs must have all this information (although there's no reason for them to store CC data, either), it's imperative for them to safeguard our data.
JonNLakeland, User Rank: Moderator
5/28/2014 | 11:12:30 AM
Re: Why ever store credit card numbers?
@Alison, Perhaps my understanding is flawed, but I thought the stolen CC info from B&M stores was stolen in line, not from a digital storage medium. Either from the POS device or from intercepting batches.
Alison_Diana, User Rank: Author
5/30/2014 | 10:05:02 AM
Re: Why ever store credit card numbers?
@Jon, I believe you're correct about those stolen CC numbers. This report didn't get into how healthcare data is being stolen. Information from HHS seems to indicate most is taken due to lack of encryption when hardware -- laptops, smartphones, etc. -- get stolen or lost. But this report suggests healthcare organizations WILL be attacked in a much more organized fashion. And if/when that happens, the general lack of preparedness will lead to a huge loss of personal health information, much bigger than anything we have yet seen from the world of retail.
JonNLakeland, User Rank: Moderator
5/28/2014 | 11:09:02 AM
Re: Why ever store credit card numbers?
Convenience. The same reason most websites still use passwords instead of multifactor authentication. Consumers are more likely to make impulse buys if their CC info is already stored. Consumers are more likely to make use of a website, forum, or other digital archive if they can just click login and not have to go looking for a text message or authenticator. The goal for 99% (fictional statistic) of the internet using populace is as much security as does not require any personal responsibility or effort from them for being secure.

In my experience most websites that store your CC info also give you the option to not. Most websites that allow multifactor authentication also give you the option to not. I'd be personally shocked, based on the security habits of my friends and family, if even 1% of users make use of those options.

moarsauce123, User Rank: Ninja
5/29/2014 | 7:07:54 AM
Re: Why ever store credit card numbers?
Also many sites do not want the mandate of having a smartphone to log in. I do not own a smartphone, so SMS based two factor authentication would mean that I could not use these services.

The reason I do not have a smartphone is simply cost. Not cost of the device, but cost of the plan. I don't have the $40 or more per month to spare for something I really do not need. I am either at home or at work, and in between I am off the grid.
Alison_Diana, User Rank: Author
5/30/2014 | 9:46:57 AM
Re: Why ever store credit card numbers?
You're so right. Many people like the convenience of storing their data, including credit card numbers. And I've seen studies that show the majority of people don't even use a simple four-digit password on their smartphones, leaving them wide open to theft.
chrisbunn, User Rank: Apprentice
5/30/2014 | 4:05:20 AM
the unintentional insider threat
Healthcare organizations can help themselves by ensuring better employee education and the right security tools are in place that control and monitor users' access to resources on a network. This is for employees' own benefit and for that of the organisation they work for.

Why? Because most security problems in most organisations - including healthcare - appear not to be down to malicious attacks, but careless employee behaviour and misunderstandings on what actions are considered to be a security risk. Network Security relies heavily on a user's login credentials - identity is the most important security control for access to organizations resources. 

This goes down to simple limitations, such as preventing two logins on a single user ID taking place at the same time and enforcing access restrictions by location & time. By doing so organizations can help reduce the risk of shared passwords, stop attacks from stolen credentials and ensure all access is attributed to an individual employee. 

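The controls described in the comment above (one live session per user ID, logins limited by network location and time of day, and every decision attributed to a named user), as an added example that is not part of the original article or of any commenter's product. The user names, address ranges, working hours and login attempts are constructed sample data; in a real deployment the policy table and session state would live in the identity provider or the application's session store rather than in module-level variables.

```python
"""
Session-policy checker for an access-control layer in front of a clinical
application. It refuses a second concurrent session on one user ID, allows
logins only from a user's permitted networks and working hours, and writes
an audit record naming the user for every decision. Added example; all
users, networks, hours and login attempts below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class UserPolicy:
    allowed_networks: list   # ip_network objects the user may connect from
    hours: tuple             # (start, end) of the permitted login window
    max_sessions: int = 1    # concurrent sessions allowed on this user ID


# Constructed sample policies (hypothetical users and private address ranges).
POLICIES = {
    "nurse.jones": UserPolicy([ip_network("10.20.0.0/16")],
                              (time(6, 0), time(20, 0))),
    "dr.smith": UserPolicy([ip_network("10.20.0.0/16"),
                            ip_network("10.30.5.0/24")],
                           (time(0, 0), time(23, 59, 59))),
}


@dataclass
class SessionTracker:
    active: dict = field(default_factory=dict)  # user -> set of session ids
    audit: list = field(default_factory=list)   # one tuple per decision

    def login(self, user, src_ip, when, session_id):
        """Return True if the login is allowed; always writes an audit record."""
        policy = POLICIES.get(user)
        if policy is None:
            return self._decide(when, user, src_ip, False, "unknown user")
        if not any(ip_address(src_ip) in net for net in policy.allowed_networks):
            return self._decide(when, user, src_ip, False,
                                "source not in allowed networks")
        start, end = policy.hours
        if not (start <= when.time() <= end):
            return self._decide(when, user, src_ip, False,
                                "outside permitted hours")
        sessions = self.active.setdefault(user, set())
        if len(sessions) >= policy.max_sessions:
            # A second live session on one ID is the classic sign of a shared
            # or stolen password; deny it so one identity maps to one person.
            return self._decide(when, user, src_ip, False,
                                "concurrent session limit reached")
        sessions.add(session_id)
        return self._decide(when, user, src_ip, True, "ok")

    def logout(self, user, session_id):
        self.active.get(user, set()).discard(session_id)

    def _decide(self, when, user, src_ip, allowed, reason):
        # Every decision is recorded against the named user, so any later
        # access can be attributed to an individual rather than a shared login.
        self.audit.append((when.isoformat(), user, src_ip,
                           "ALLOW" if allowed else "DENY", reason))
        return allowed


def run_demo():
    """Replay a constructed sequence of login attempts; returns (decisions, audit)."""
    tracker = SessionTracker()
    morning = datetime(2014, 5, 30, 9, 15)
    night = datetime(2014, 5, 30, 23, 40)
    decisions = [
        tracker.login("nurse.jones", "10.20.4.17", morning, "s1"),  # allowed
        tracker.login("nurse.jones", "10.20.9.3", morning, "s2"),   # denied: s1 still live
        tracker.login("dr.smith", "203.0.113.8", morning, "s3"),    # denied: external address
        tracker.login("nurse.jones", "10.20.4.17", night, "s4"),    # denied: after hours
    ]
    tracker.logout("nurse.jones", "s1")
    decisions.append(tracker.login("nurse.jones", "10.20.9.3", morning, "s5"))  # allowed again
    return decisions, tracker.audit


if __name__ == "__main__":
    for record in run_demo()[1]:
        print(*record)
```

The checks run in a deliberate order: source network, then time window, then the concurrency limit, so the audit reason names the first control that failed. The denied second session from a different address while the first is still live is the case the comment singles out, since it is what a shared password looks like from the server's side; once the first session logs out the same user is admitted again.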
Alison_Diana, User Rank: Author
5/30/2014 | 9:54:24 AM
Re: the unintentional insider threat
You are SO right, @Chris. Whenever I see reports or press releases on healthcare breaches or take a spin through HHS' Wall of Shame, I am (unsurprised but) stunned at the high percentage of breaches due to employee negligence, such as losing an unencrypted laptop. I don't know if it's laziness, lack of education, overly complex procedures that spawn workarounds, or a combination of factors that lead to these commonplace lapses but it's very disheartening. I think IT and security pros can help their organizations improve security by showing the direct result of lapses: Huge penalties and loss of public trust (and patients?) once these occur. Plus design security solutions that are as user-friendly as possible, while still safeguarding data. Tough but feasible.
Alison_Diana, User Rank: Author
5/30/2014 | 10:07:34 AM
Watch Out, Finance?
Do you think healthcare organizations will become more likely to try and recruit security professionals from finance? Or is healthcare too specialized, their budgets too tight (compared with finance) for this approach to work?
AmandaInMotion, User Rank: Apprentice
6/2/2014 | 12:07:53 PM
Re: Watch Out, Finance?
I don't know that the establishment finance world is much more terribly secure. All of us are at risk of spying and hacking from both government and non-government actors alike. It's a little lengthy, but this video (https://www.youtube.com/watch?v=vtQ7LNeC8Cs) by Jacob Applebaum, writer at Der Spiegel, explains how the NSA has deliberately made the Internet a less secure place to be over the years. It blew my mind.

Allow me a moment to be trite and say, "It didn't have to be this way." I just think of all the people who need routine healthcare (http://tinyurl.com/oa65dqu) or the people headed into retirement. 

I gain hope, however, in believing that the system really will be so inefficient - like the disgraced VA hospitals - that private alternatives will pop up left and right. They'll have to, otherwise most of us will literally be left with Soviet-quality "health care".
Alison_Diana, User Rank: Author
6/2/2014 | 4:04:55 PM
Re: Watch Out, Finance?
You raise great points, @AmandaInMotion, in that perhaps finance isn't a great bastion of security; it's just less bad than the other verticals in the study. After all, banks get hacked and as you say, the NSA has its fingers in just about every pie. 

Personally, I'm concerned about healthcare data and lack of privacy. Almost every day I get a press release touting the use of "anonymized" data by one company, research firm, or university -- and that's data coming from doctors, hospitals, insurance firms, or government. In other words, it's patient data but I don't recall ever agreeing (or disagreeing) to allowing my data to be used in this way. Nor do I know anything about the standards used or not used or what happens when some of these companies go out of business. When my daughter started middle school, I discovered there's a central database where schools can look up kids' vaccinations. The IRS oversees health insurance coverage. And companies troll social media for mentions of individuals' medical complaints, treatments, and symptoms. 
asksqn, User Rank: Ninja
6/6/2014 | 6:10:42 PM
PHI Hack Coming to You Very Soon
Boyer believes the latest Target breach was a "watershed" event? Evidently, he missed the other two breaches perpetrated inside of three years at Target in addition to the 867,292,654 (and counting) million records breached (that are known) compiled by the Privacy Rights Clearinghouse. Hacked PHI isn't an IF as much as it is a WHEN, and, when it does happen, consumers can expect the same hemming/hawing and blowing off of the event by both industry as well as the lapdog government that continues to look the other way.
Alison_Diana, User Rank: Author
6/9/2014 | 10:26:50 AM
Re: PHI Hack Coming to You Very Soon
You're exactly right: PHI will be hacked and the fact that the government is moving toward a centralized database of healthcare records and the possible creation of a healthcare ID number should send alarm bells off. When you have studies demonstrating that healthcare, as an industry, is far less secure than the notably insecure retail market, we should be extremely worried. I don't think we're being alarmist when we say this will have much more dire implications than financial fraud.
HudnallsHuddle, User Rank: Apprentice
7/31/2014 | 3:55:19 PM
Headlines and a Sacrificial Lamb are Coming Soon
Leaving security out of the plan to implement these networks and shared patient information is a short-sighted view of the HealthIT transformation many have underway. Encryption is not the silver bullet to protecting patient information. HealthIT organizations must be diligent in monitoring behavior, access, use, etc. in order to put the meat behind a meaningful use attestation. I'm quite surprised CFOs are not more stringent in these organizations as they are the ones facing personal charges of fraud. This has gotten personal and not just corporate fines. I believe this is a ticking time bomb ripe to explode. Read more here > http://bit.ly/1zapjjn